Wirelessly Lockpicking a Smart Card Reader

Posted on Monday 7th July 2014

College best publication award

Flavio D. Garcia, Gerhard de Koning Gans and Roel Verdult were awarded the College best publication award in April 2014 for their paper "Wirelessly lock picking a smart card reader", published in the International Journal of Information Security, Springer Verlag, 2014.

 

Summary by Dr Flavio D. Garcia

iClass is a widely used contactless smart card manufactured by HID Global. It was introduced to the market in 2002 as a secure replacement for its predecessor, the HID Prox card. iClass cards are widely used for access control in secured buildings such as Bank of America Merrill Lynch, the International Airport of Mexico City and the United States Navy base of Pearl Harbor, among many others. Other applications include secure user authentication, such as in the naviGO system included in Dell’s Latitude and Precision laptops; e-payment, as in the FreedomPay and SmartCentric systems; and billing of electric vehicle charging, such as in the Liberty PlugIns system in the US. iClass has also been incorporated into the new BlackBerry phones which support Near Field Communication (NFC). HID iClass uses a proprietary cipher to provide data integrity and mutual authentication between card and reader. Each card uses a different 64-bit secret key, which is derived, using a method called ‘key diversification’, from a 56-bit master key that is stored on the iClass readers.

 

The manufacturer, following the principles of security by obscurity, kept the precise description of both the cipher and the key diversification algorithms secret. HID distinguishes two system configurations for iClass, namely iClass Standard and iClass Elite (a.k.a. High Security). The main differences between iClass Standard and iClass Elite lie in their key management and key diversification algorithms. Remarkably, all iClass Standard cards worldwide share the same master key for the iClass application. This master key is stored in the memory of every iClass reader. Our analysis uncovers this secret key. In iClass Elite, however, it is possible to let HID generate and manage a custom master key for those customers who are willing to pay a higher price. The iClass Elite Program (a.k.a. High Security) uses an additional key diversification algorithm (on top of the iClass Standard key diversification) and a custom master key per system, which is claimed to provide “the highest level of security”.

 

However, our research shows that this is not the case, as there are a number of serious cryptographic weaknesses in both the cipher and the key diversification algorithms. These weaknesses allow a malicious perpetrator or “attacker” to recover the master key of the system. To do so, an attacker needs only 15 authentication attempts with a genuine reader and 5 seconds of computation. With access to the master key, the attacker is then able to create their own access cards, undermining the security of the whole system.

 

In line with the principles of responsible disclosure, the authors notified the manufacturer, HID Global, of these findings back in November 2011. At the time of writing this article, HID has extended their product line with support for AES-enabled Mifare DESFire EV1 cards, which use standard, community-reviewed cryptography and therefore provide higher security levels for those customers considering migration alternatives.